Senators Press IRS for SolarWinds Hack Briefing

“Given the extreme sensitivity of personal taxpayer information entrusted to the IRS, and the harm both to Americans’ privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised,” the senators wrote.

The lawmakers asked for details about how the IRS was mitigating potential damage, ensuring the hackers didn’t “still have access to internal IRS systems,” and what it was doing to prevent future hacks of taxpayer data.

The U.S. Treasury Department, where the IRS is housed, was breached in the hack, according to people familiar with an investigation into the hack, along with many other agencies, including the Commerce Department, State Department and Department of Homeland Security. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and the intelligence community are all investigating the intrusion, as are private sector firms.

It isn’t known whether the IRS was specifically compromised, but the tax collecting agency is the largest Treasury bureau. Former intelligence officials have said that the Russians likely burrowed deeply into a range of systems and that the IRS would have been a lucrative target for them.

The Treasury Department has so far ignored private requests from Sens. Grassley and Wyden for a briefing on the hack, according to Senate Finance staffers. An IRS spokeswoman has referred questions about the hack to the Treasury Department, which has declined to provide details. Russia has denied responsibility for the hack.

In their letter, the senators noted a concern that the IRS appeared to have been a customer of SolarWinds, a Texas-based network-management firm whose software has been identified as the cause of the hack.

Investigators believe the hackers used a malicious update to a SolarWinds product called Orion beginning in March to compromise not just U.S. agencies but scores of private businesses across the globe. It couldn’t be determined whether the IRS specifically used the Orion software.

IRS executives have long been worried about potential breaches of the agency’s computer systems, which hold information about criminal investigations and audits along with Social Security numbers and financial data on hundreds of millions of Americans.

“The IRS is responsible for safeguarding a vast amount of sensitive financial and personal data involving every taxpayer and business in the nation,“ Mr. Rettig said last year in announcing the agency’s six-year information technology modernization plan. ”This is an area where we cannot fail for the safety of our nation, and modernizing our technology is critical to stay ahead of constant cyberattacks on our systems.”

The IRS has struggled to replace outdated computer systems that are more vulnerable and more expensive to maintain, but it hasn’t suffered a major breach that exposed its core taxpayer data. The 2019 plan said the IRS faces 1.4 billion cyberattacks each year.

An inspector general’s report in September found some satisfactory performance but deficiencies in other areas. The report warned that some taxpayer data could be vulnerable.

Congress has been cutting the IRS budget or holding it flat for much of the past decade. Mr. Rettig and his predecessors have been urging lawmakers to spend more for technology modernization as well as enforcement.

Government officials and cybersecurity experts are still working to understand the scope and the severity of the hack, but many believe it is likely one of the most significant intelligence failures on record. In a statement late Wednesday, multiple security agencies investigating the hack described it as a “significant” and “ongoing” intrusion.